Job vs. Media Pool Encryption

[Vejete]

Greetings! I've searched the forums but did not turn up an answer, and I'd like a sanity check if possible.

If I have encryption enabled within a backup copy job and also as a property of the tape media pool I'm using for that job, I get hardware compression at the tape drive only, right? I'm assuming that in this scenario, the job option for (software) encryption is ignored.

Thanks for your time and advice.

[foggy]

Hi Jim, if encryption is enabled both in the backup copy job and media pool, data on tape will be encrypted twice. Hardware encryption, however, has a higher priority, Veeam B&R will disable its software encryption if hardware encryption is enabled for the tape device.

[Vejete]

Thanks foggy, but I thought it would only be encrypted twice if the original backup job had encrypted the backup file on disk. If you then copy that (encrypted) backup file to tape with encryption enabled, yes, it will be doubly encrypted.

Let me reword my original question.
1. Backup file on disk has no encryption.
2. Backup COPY job has encryption enabled.
3. Tape media pool being used by the copy job also has encryption enabled.
4. In this case, I presume that Veeam software encryption at the job level will be ignored because hardware compression at the tape drive takes priority.

Correct or not?

[veremin]

Nope, if backup copy job with encryption enabled is a source pf backup to tape job that is pointed to media pool with encryption enabled, a data will be encrypted twice.

[Vejete]

Okay, I think I get it now.



The highlighted notation above is relevant only to the tape drive and media pool and will have no effect on the job that uses the media pool. So for the media pool (and drives) alone, what the notation is saying is that if the tape drive is incapable of providing hardware-based encryption, Veeam will step in and provide its own software encryption at (I presume) the tape server. But as you all have stated, we would be double-encrypting data because the stream was already encrypted at the source by the backup copy job since we enabled encryption in the advanced settings of the backup copy job.

The wording is very important here, and I think this is one of the things that gave me grief on the VMCE exam.

Thank you all kindly for your guidance and feedback. Much appreciated!

[veremin]

what the notation is saying is that if the tape drive is incapable of providing hardware-based encryption, Veeam will step in and provide its own software encryption at (I presume) the tape server

Correct.

[Vejete]

Spending some time in a Veeam lab now, and I believe I've discovered a fundamental misunderstanding on my part.

When I create a media pool, there is as we see an option to enable encryption and provide a password.



Any copy to tape job that writes to media in that pool will result in the copy on tape being encrypted - either by tape drive HW encryption or Veeam software encryption if the drive is incapable of HW encryption. I'm good there.

My eureka moment came when I went back and looked at every aspect of a copy to tape job. Know what I didn't find? Any place in the tape job to enable encryption and set a password.

So in essence, my original question was faulty. The only encryption option in the whole copy to tape process flow lies within the properties of the target media pool being used.

Now, referring back to one of the previous answers, yes, I do understand that:

1. IF the source vbk was encrypted by a backup (or backup copy) job,
2. AND the subsequent copy to tape job writes that encrypted vbk to a media pool with encryption enabled,
3. THEN you will need both the tape media password and the backup job password to restore from tape because the data on tape is doubly encrypted.

Thank you everyone for your kind assistance. I apologize for my noob questions. Even though I have 20 years of BURA experience (DP, NBU, TSM, CV, etc.), I've so little stick time with Veeam that it's taking a bit to ferret-out features and how they integrate.

[haslund]

Notice how the first screen is of a Backup Server connected to Veeam Backup Enterprise Manager and the second one is not.

[Vejete]

Yes, I pulled the screenshots from two different environments days apart. The presence or absence of Enterprise Manager was incidental and not germane to the question at hand. Nice catch, though.